Home / ubuntu / Questions / 1527604
Accepted
João Pimentel Ferreira
Asked: 2024-09-21 22:21:39 +0800 CST

UFW - allow requests only from a certain region/locale

  • 772
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
Nginx Full (v6)            ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)

How can I allow SSH (22/tcp) requests only from a certain region, country or continent?

This question is not related to allowing only requests from localhost, for example, because the IP of locahost is already known. I want something like to have all the IP ranges of a certain country in a text file and embed them into ufw allow rule.

ssh

1 Answers

  1. Best Answer

    To add an IP block list to Uncomplicated Fire Wall (UFW) use the following instructions from this Gihub script the contents of which are reproduced below.

    With all acknowledgements to poddmo the author of UFW-blocklist which is an IP blocklist extension for Ubuntu ufw.

    INSTALLATION

    Install the ipset package

    sudo apt install ipset

    Backup the original ufw after.init example script

    sudo cp /etc/ufw/after.init /etc/ufw/after.init.orig

    Install the ufw-blocklist files

    git clone https://github.com/poddmo/ufw-blocklist.git
cd ufw-blocklist
sudo cp after.init /etc/ufw/after.init
sudo cp ufw-blocklist-ipsum /etc/cron.daily/ufw-blocklist-ipsum
sudo chown root:root /etc/ufw/after.init /etc/cron.daily/ufw-blocklist-ipsum
sudo chmod 750 /etc/ufw/after.init /etc/cron.daily/ufw-blocklist-ipsum

    Download an initial IP blocklist from IPsum

    curl -sS -f --compressed -o ipsum.4.txt 'https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt'
sudo chmod 640 ipsum.4.txt
sudo cp ipsum.4.txt /etc/ipsum.4.txt

    Start ufw-blocklist

    sudo /etc/ufw/after.init start

    NOTE: It takes time to load the blocklist entries into the ipset. Watch the progress with:

    sudo ipset list ufw-blocklist-ipsum -terse | grep 'Number of entries'

    USAGE

    The blocklist is automatically started and stopped by ufw using the enable, disable and reload options. Ubuntu UFW wiki Page

    There are 2 additional after.init commands available: status and flush-all

    • The status option shows the count of entries in the blocklist, the hit count of packets that have been blocked and the last 10 log entries. The status option is further explained in the Status section below.
    • The flush-all option deletes all entries in the blocklist and zeros the iptables hit counters:

    sudo /etc/ufw/after.init flush-all

    From this state you can manually add IP addresses to the list like this:

    sudo ipset add ufw-blocklist-ipsum a.b.c.d

    This is useful for testing. Use /etc/cron.daily/ufw-blocklist-ipsum to download the latest list and fully restore the blocklist.

    STATUS

    Calling after.init with the status option displays the current count of the entries in the blocklist, the hit counts on the firewall rules (column 1 is hits, column 2 is bytes) and the last 10 log messages. A sample output can be seen in the Github extension post linked.

    Further references:

    Geo Blocking
    Block Countries
    IP Addresses Ranges by Country

    • 2